Total
1235 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-14478 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2025-04-17 | 7.1 High |
| A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML files to access local or remote content. A successful exploit could potentially cause a denial-of-service condition and allow the attacker to arbitrarily read any local file via system-level services. | ||||
| CVE-2021-42537 | 1 Visam | 1 Vbase Web-remote | 2025-04-17 | 5.9 Medium |
| VISAM VBASE version 11.6.0.6 processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. | ||||
| CVE-2022-47514 | 1 Xml-rpc.net Project | 1 Xml-rpc.net | 2025-04-17 | 8.8 High |
| An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request. | ||||
| CVE-2021-44477 | 1 Ge | 1 Toolboxst | 2025-04-16 | 7.5 High |
| GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file. | ||||
| CVE-2022-1018 | 1 Rockwellautomation | 3 Connected Components Workbench, Isagraf, Safety Instrumented Systems Workstation | 2025-04-16 | 5.5 Medium |
| When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality. | ||||
| CVE-2021-43990 | 1 Fanuc | 1 Roboguide | 2025-04-16 | 6.1 Medium |
| The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call. | ||||
| CVE-2022-1331 | 1 Deltaww | 1 Dmars | 2025-04-16 | 5.5 Medium |
| In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure. | ||||
| CVE-2022-1704 | 1 Inductiveautomation | 1 Ignition | 2025-04-16 | 7.6 High |
| Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. | ||||
| CVE-2022-2759 | 1 Deltaww | 1 Delta Robot Automation Studio | 2025-04-16 | 5.5 Medium |
| Delta Electronics Delta Robot Automation Studio (DRAS) versions prior to 1.13.20 are affected by improper restrictions where the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This may allow an attacker to view sensitive documents and information on the affected host. | ||||
| CVE-2024-46603 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2025-04-16 | 7.5 High |
| An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder Firmware v1.2.1.12 allows attackers to cause a Denial of Service (DoS) via a crafted XML payload. | ||||
| CVE-2024-46602 | 1 Elspec-ltd | 2 G5dfr, G5dfr Firmware | 2025-04-16 | 7.5 High |
| An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload. | ||||
| CVE-2025-31497 | 2025-04-16 | 7.5 High | ||
| TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML files during the conversion process but fails to disable external entity processing, allowing an attacker to read arbitrary files from the server's filesystem. This vulnerability could allow attackers to read sensitive files from the server's filesystem, potentially exposing configuration files, credentials, or other confidential information. Additionally, depending on the server configuration, this could potentially be used to perform server-side request forgery (SSRF) attacks by making the server connect to internal services. This issue is patched in version 1.2.4. A workaround for this vulnerability includes disabling external entity processing in the XML parser by setting the appropriate security features (e.g., XMLConstants.FEATURE_SECURE_PROCESSING). | ||||
| CVE-2023-36419 | 1 Microsoft | 1 Azure Hdinsights | 2025-04-14 | 8.8 High |
| Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability | ||||
| CVE-2022-41967 | 1 Hypera | 1 Dragonfly | 2025-04-14 | 7 High |
| Dragonfly is a Java runtime dependency management library. Dragonfly v0.3.0-SNAPSHOT does not configure DocumentBuilderFactory to prevent XML external entity (XXE) attacks. This issue is patched in 0.3.1-SNAPSHOT. As a workaround, since Dragonfly only parses XML `SNAPSHOT` versions are being resolved, this vulnerability may be avoided by not trying to resolve `SNAPSHOT` versions. | ||||
| CVE-2014-3682 | 1 Redhat | 3 Jboss Bpms, Jboss Brms, Jbpm-designer | 2025-04-12 | N/A |
| XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl function in designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java in jbpm-designer 6.0.x and 6.2.x allows remote attackers to read arbitrary files and possibly have other unspecified impact by importing a crafted BPMN2 file. | ||||
| CVE-2014-3485 | 1 Redhat | 2 Enterprise Virtualization, Rhev Manager | 2025-04-12 | N/A |
| The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue. | ||||
| CVE-2014-3481 | 1 Redhat | 6 Jboss Data Grid, Jboss Data Virtualization, Jboss Enterprise Application Platform and 3 more | 2025-04-12 | N/A |
| org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. | ||||
| CVE-2016-3720 | 2 Fasterxml, Fedoraproject | 2 Jackson-dataformat-xml, Fedora | 2025-04-12 | 9.8 Critical |
| XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. | ||||
| CVE-2014-0171 | 2 Odata4j Project, Redhat | 2 Odata4j, Jboss Data Virtualization | 2025-04-12 | N/A |
| XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint. | ||||
| CVE-2014-0002 | 2 Apache, Redhat | 9 Camel, Fuse Esb Enterprise, Fuse Management Console and 6 more | 2025-04-12 | N/A |
| The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||||